Send documentation comments to mdsfeedback-doc@cisco.com.
27-9
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 27 RADIUS and TACACS+
Configuring TACACS+

About TACACS+

TACACS+ is a client/server protocol that uses TCP (port 49) for transport. All switches in the Cisco MDS 9000 Family provide centralized authentication using the TACACS+ protocol. TACACS+ support, added in Cisco MDS SAN-OS Release 1.3(x), offers the following advantages over RADIUS authentication:
• Independent, modular AAA facilities. Authorization can be done without authentication.
• TCP as the transport protocol between the AAA client and server, giving reliable, connection-oriented transfers.
• Encryption of the entire protocol payload between the switch and the AAA server, for higher data confidentiality. The RADIUS protocol encrypts only the password attribute. Note that the TACACS+ payload protection is the MD5-based keystream defined by the protocol, keyed by the preshared key; it is not a modern cipher, so the preshared key and the network path between switch and server still need protecting.
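To make the confidentiality point above concrete, the following is an added example written for this page; it is not Cisco code and is not taken from SAN-OS. It frames a TACACS+ packet as RFC 8907 specifies, derives the protocol's MD5 keystream from the cleartext header fields plus the preshared key, and shows what is and is not hidden on the wire. The function names, the key, the session ID and the body bytes are all constructed for illustration.

```python
"""Minimal TACACS+ packet framing (RFC 8907 section 4) to show what the
preshared key actually protects on the wire.  Added illustration, not Cisco
code; the key, session ID and body below are constructed sample values."""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes, always sent in cleartext
TAC_PLUS_VERSION = 0xC0                     # major version 12, minor version 0
TAC_PLUS_AUTHEN = 0x01                      # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01            # body is cleartext when set


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad from RFC 8907 section 4.5: chained MD5 over the cleartext
    header fields and the preshared key.  Anyone holding the key (or guessing
    it from a capture) can regenerate this pad, so the key is the only secret."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; the same call both obfuscates and de-obfuscates."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Prefix a body with the 12-byte header.  An empty key models a server with
    neither a server key nor a global key: the body goes out in cleartext with
    the UNENCRYPTED flag set."""
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes):
    """Return (header dict, body) for a packet received under `key`."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError(f"length field {length} does not match payload of {len(payload)} bytes")
    hdr = dict(version=version, type=ptype, seq_no=seq_no, flags=flags, session_id=session_id)
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, payload
    if not key:
        raise ValueError("obfuscated packet but no key configured for this server")
    return hdr, obfuscate(payload, session_id, key, version, seq_no)


# Constructed sample: an authentication START body (action, priv_lvl, authen_type,
# authen_service, user_len, port_len, rem_addr_len, data_len, then user "admin").
SAMPLE_KEY = b"MyPreSharedKey"
SAMPLE_SESSION = 0x1A2B3C4D
SAMPLE_BODY = b"\x01\x01\x01\x01\x05\x00\x00\x00admin"


def demo() -> dict:
    """Round-trip with the right key, then show what a wrong key and no key yield."""
    wire = build_packet(TAC_PLUS_AUTHEN, 1, SAMPLE_SESSION, SAMPLE_BODY, SAMPLE_KEY)
    _, body = parse_packet(wire, SAMPLE_KEY)
    _, wrong = parse_packet(wire, b"WrongKey")
    clear = build_packet(TAC_PLUS_AUTHEN, 1, SAMPLE_SESSION, SAMPLE_BODY, b"")
    expected_header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0,
                                  SAMPLE_SESSION, len(SAMPLE_BODY))
    return {
        "header_is_cleartext": wire[:HEADER_LEN] == expected_header,
        "body_hidden_on_wire": b"admin" not in wire,
        "roundtrip_ok": body == SAMPLE_BODY,
        "wrong_key_garbage": wrong != SAMPLE_BODY,
        "no_key_leaks_user": b"admin" in clear
                              and (clear[3] & TAC_PLUS_UNENCRYPTED_FLAG) == TAC_PLUS_UNENCRYPTED_FLAG,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things the demo makes visible: the header, including the session ID and length, is never protected, and a server configured without any key (server or global) sends user names in the clear with the flag set, which is why the key warning in the next sections should be treated as a misconfiguration rather than an inconvenience.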

Enabling TACACS+

By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. You must
explicitly enable the TACACS+ feature to access the configuration and verification commands for fabric
authentication. When you disable this feature, all related configurations are automatically discarded.

Setting the TACACS+ Server

If a server has no key of its own, the global preshared key (if configured) is used for that server. If neither a server key nor a global key is configured, a warning message is issued (see the “Setting the Global Preshared Key” section on page 27-7).
To add a TACACS+ server, follow these steps:
Step 1 Choose Switches > Security > AAA in Fabric Manager or choose Security > AAA in Device Manager.
Step 2 Choose the Servers tab. You see the RADIUS or TACACS+ servers configured.
Step 3 Click Create Row in Fabric Manager or Create in Device Manager. You see the Create Server dialog
box.
Step 4 Select the tacacs+ radio button to add a TACACS+ server.
Step 5 Set the IP address, authentication port and accounting port values.
Step 6 Select whether the shared key is plain or encrypted in the KeyType field and set the key in the Key field.
Step 7 Set the timeout and retry values for authentication attempts.
Step 8 Click Create to create this TACACS+ server or click Close to exit the dialog box without creating the
new server.

Defining Custom Attributes for Roles

Cisco MDS 9000 Family switches use the TACACS+ custom attribute for the shell service to configure the roles to which a user belongs. TACACS+ attributes are specified in name=value format. The attribute name for this custom attribute is cisco-av-pair. The following example illustrates how to specify roles using this attribute:
cisco-av-pair=shell:roles="network-admin vsan-admin"
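To show how the role list is consumed on the switch side, here is an added example written for this page; it is not Cisco code. It parses TACACS+ authorization arguments in the name=value (mandatory) and name*value (optional) forms of RFC 8907 and extracts the role names from a cisco-av-pair=shell:roles=... attribute, skipping unrelated attributes. The function names, the role-name syntax check and the sample argument list are assumptions made for illustration.

```python
"""Extract MDS role names from TACACS+ authorization arguments.  Added
illustration, not Cisco code; the sample argument list is constructed."""
import re
from typing import List, Tuple

# RFC 8907 section 6.1: 'attr=value' is mandatory, 'attr*value' is optional.
_AVPAIR = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)
# Assumed role-name syntax for this example: letters, digits, '-' and '_' only.
_ROLE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def split_avpair(arg: str) -> Tuple[str, bool, str]:
    """Return (attribute, mandatory, value).  Raises ValueError if no separator."""
    m = _AVPAIR.match(arg)
    if not m:
        raise ValueError(f"not an attribute-value pair: {arg!r}")
    name, sep, value = m.groups()
    return name.strip(), sep == "=", value


def roles_from_args(args: List[str]) -> List[str]:
    """Collect roles from every cisco-av-pair=shell:roles=... argument.

    Quotes around a multi-word value are stripped, roles are deduplicated in
    order, and a malformed role name raises instead of being silently
    truncated or accepted."""
    roles: List[str] = []
    for arg in args:
        name, _mandatory, value = split_avpair(arg)
        if name != "cisco-av-pair" or not value.startswith("shell:"):
            continue
        # The value is itself an attribute-value pair: roles=... or roles*...
        inner, _, inner_value = split_avpair(value[len("shell:"):])
        if inner != "roles":
            continue
        for role in inner_value.strip().strip('"').split():
            if not _ROLE_NAME.match(role):
                raise ValueError(f"bad role name {role!r} in {arg!r}")
            if role not in roles:
                roles.append(role)
    return roles


# Constructed sample authorization reply arguments, as a server might return them.
SAMPLE_ARGS = [
    "priv-lvl=15",
    'cisco-av-pair=shell:roles="network-admin vsan-admin"',
    "cisco-av-pair*shell:roles=network-operator",   # optional argument, '*' separator
    "idletime*10",
]

if __name__ == "__main__":
    print(roles_from_args(SAMPLE_ARGS))   # ['network-admin', 'vsan-admin', 'network-operator']
```

The strict role-name check is the part worth keeping in any real consumer: the roles string arrives from the AAA server under the same preshared key as everything else, and a value that does not look like a role name should fail the authorization rather than be mapped to whatever role the switch happens to match.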